By David Copland, Vice President at Kinetic Partners, a division of Duff & Phelps
Banks, asset managers and hedge funds have made a slow start in addressing the regulations and guidelines on cyber security promoted by the Securities and Futures Commission of Hong Kong (SFC) and the U.S. Securities and Exchange Commission (SEC). Even in the wake of several high-profile breaches at companies including Sony, Target and JP Morgan Chase in 2014, the financial services industry’s response to security has been largely reactive.
Firms that have never experienced a significant cyber security breach in their organisation may feel that this problem only happens to ‘someone else’. As such, the sense of urgency to take preventative action is often noticeably absent. A study conducted by Risk Based Security, a leading information technology solutions provider, revealed that there were 1,922 data breaches reported and 904 million records exposed within the first nine months of 2014. Moreover, the number of security breaches is accelerating. Statistically speaking, the odds of your company being subjected to a security breach are now very real.
Remarkably, many companies still have weak security for computer user account authentication, exposing the firm to significant risk. One common example is the ‘password reset’ on web-based applications. Password resets that can be achieved by answering fixed questions represent a weak link in security, especially when potential answers can be discovered with relative ease (e.g. a mother’s maiden name or a favourite pet’s name). The majority of cyber attacks can often be thwarted simply by strengthening these basic security controls, and by ensuring that anti-virus programmes, firewalls and site advisor programmes are regularly updated. Some new attacks may still get through, but the scope of such breaches can be limited to just one machine if sensible firewall rules are applied.
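As an added illustration of the point above (example code, not from the article or from Kinetic Partners), the following shows what a password reset looks like when it does not depend on fixed knowledge-based questions: a random, single-use token with a short expiry, stored only as a hash and compared in constant time. The class and function names, the in-memory store and the 15-minute lifetime are assumptions made for this example; a real service would persist the hashed token in its user database and deliver the token out of band (e.g. to a verified e-mail address or phone).

```python
"""Added example (not from the article): a password-reset flow that relies on a
random, single-use, expiring token instead of fixed knowledge-based questions.
All names (ResetStore, issue_reset_token, redeem_reset_token) and the in-memory
store are assumptions made for this illustration."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # constructed value: tokens expire after 15 minutes


@dataclass
class PendingReset:
    token_hash: bytes   # only the hash is stored; a leaked table yields no usable token
    expires_at: float
    used: bool = False


class ResetStore:
    """In-memory stand-in for the table that would hold pending resets."""

    def __init__(self, clock=time.time):
        self._pending: dict[str, PendingReset] = {}
        self._clock = clock  # injectable so expiry can be exercised deterministically

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue_reset_token(self, username: str) -> str:
        """Create a fresh token for the user and return it (to be sent out of band)."""
        token = secrets.token_urlsafe(32)  # 256 bits of entropy from the OS CSPRNG
        # Issuing a new token replaces any earlier pending one for this user.
        self._pending[username] = PendingReset(
            token_hash=self._hash(token),
            expires_at=self._clock() + TOKEN_TTL_SECONDS,
        )
        return token

    def redeem_reset_token(self, username: str, presented: str) -> bool:
        """Return True exactly once for a valid, unexpired token; False otherwise."""
        entry = self._pending.get(username)
        if entry is None or entry.used:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[username]  # expired tokens are discarded, not kept around
            return False
        # Constant-time comparison so response timing does not leak how many bytes matched.
        if not hmac.compare_digest(entry.token_hash, self._hash(presented)):
            return False
        entry.used = True  # single use: a replayed token is rejected
        return True


if __name__ == "__main__":
    store = ResetStore()
    token = store.issue_reset_token("alice")
    print("first redemption:", store.redeem_reset_token("alice", token))
    print("replayed token:", store.redeem_reset_token("alice", token))
```

The design choice worth noting is that nothing in the flow depends on facts about the user that could be looked up; the only secret is the token itself, and it is useless once used, once expired, or if the stored hash leaks.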
Relying on such good fortune is not a sound security strategy, however. It is imperative that firms prioritise investment in security measures and technologies, as attention in this area is vital for ensuring that the company is adequately protected from attack. After all, indifference to cyber security will not only result in a warning or a fine from the regulator, but could also cause serious damage to the business through the loss or theft of information. The initial costs of adequate cyber defence and infrastructure measures in the short run pale in comparison to the possible losses a firm would incur in the event of a breach.
When such security breaches are made public, the results can often be catastrophic. As such, CEOs, COOs and senior management need to be made aware of the possible consequences of cyber threats. For example, consider the impact of just these three threats:
- Denial of service attack. This type of attack can quickly overwhelm your IT network by consuming all of its capacity, preventing any trade orders from being executed. Emails can’t be sent or received and information on your trading activity cannot be reported. As such, for a period of time, your IT assets may effectively be unusable, thus paralysing business activity altogether.
- Cyber espionage from the internet. In this scenario, your network is scanned and sensitive data regarding clients or investments is stolen and put into the public domain. This will certainly attract regulatory attention and will no doubt damage future business opportunities as well as reputation. Incidents like these tripled during 2014.
- Internal theft of key information. Information on intellectual property (such as research and trading strategies) can be stolen via USB sticks, emailed to a personal email account, or sent to what appears to be a legitimate third party. The consequences of such a breach may be severe if the information is used or revealed in the public domain.
In order to combat the above threats, many firms assume that complex defence technology solutions are required. However, the truth is that very simple security solutions can normally be applied. Quick preventative measures that defend against 99% of network security threats include a review or update of the configuration status of your operating system, your security software and the enforcement of security procedures.
Numerous security principles and solutions can then be implemented to address the remaining 1% of truly dangerous threats, such as stronger authentication methods, data loss prevention software, more robust data encryption techniques and the use of dedicated intrusion detection systems, to name a few.
Faced with so many options and tools, it can be difficult to know where to start. Firms risk overspending in this area – and could still end up leaving the company exposed to cyber security threats – unless they first assess what the biggest security threats are for their business.
Drawing on industry guidance by the National Institute of Standards & Technology (NIST) and the Office of Compliance Inspections and Examinations (OCIE) in the U.S., financial services firms can address this issue by implementing a comprehensive gap analysis and subsequently applying a risk-based approach to identify the key cyber security threats.
This approach involves performing an IT threat and vulnerability pair risk analysis, a type of analysis already enforced by the Monetary Authority of Singapore (MAS), the Singapore financial regulator. This will not only make it much easier for firms to defend their key information assets, but will also help the firm build an on-going security implementation plan that covers the aspects of security that regulators will want to see.
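To make the threat and vulnerability pair analysis concrete, here is an added example (not from the article, and not any regulator's template) of a minimal risk register: each asset is paired with a threat and the vulnerability that threat would exploit, scored for likelihood and impact on a 1 to 5 scale, and ranked by the product of the two. The same pass records which required controls are not yet in place, which is the gap analysis the article refers to, so the output is a prioritised list of where spending should go first. The sample pairs, the scale and the control names are constructed for illustration; the three threats used are the ones the article lists above plus the weak password reset it mentions earlier.

```python
"""Added example (not from the article or any regulator's template): a minimal
threat/vulnerability pair risk register with a gap check. Scale, sample pairs
and control names are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatVulnPair:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                     # 1 (rare) .. 5 (almost certain)
    impact: int                         # 1 (negligible) .. 5 (severe)
    required_controls: tuple[str, ...]  # controls that would treat this pair

    def __post_init__(self):
        # Reject scores outside the scale so a typo cannot silently skew the ranking.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def risk_score(self) -> int:
        """Inherent risk: likelihood x impact, on a 1..25 scale."""
        return self.likelihood * self.impact


def rank_pairs(pairs, implemented_controls):
    """Return (pair, missing_controls) tuples, highest risk first.

    Ties on risk score are broken so that the pair with more missing
    controls (the larger gap) comes first.
    """
    implemented = set(implemented_controls)
    ranked = []
    for p in pairs:
        missing = tuple(c for c in p.required_controls if c not in implemented)
        ranked.append((p, missing))
    ranked.sort(key=lambda pm: (pm[0].risk_score, len(pm[1])), reverse=True)
    return ranked


# Constructed sample register modelled on the threats the article describes.
SAMPLE_PAIRS = (
    ThreatVulnPair("order management system", "denial of service",
                   "no upstream rate limiting", 3, 5,
                   ("ddos_mitigation", "capacity_monitoring")),
    ThreatVulnPair("client database", "external data theft",
                   "unpatched internet-facing server", 4, 5,
                   ("patch_management", "intrusion_detection", "data_encryption")),
    ThreatVulnPair("research share", "insider theft",
                   "unrestricted USB and personal email", 3, 4,
                   ("device_control", "data_loss_prevention")),
    ThreatVulnPair("web portal", "account takeover",
                   "password reset by fixed questions", 4, 3,
                   ("token_based_reset", "multi_factor_auth")),
)

# Constructed: controls this hypothetical firm already has in place.
IMPLEMENTED_CONTROLS = ("capacity_monitoring", "patch_management", "device_control")


def top_gaps(pairs=SAMPLE_PAIRS, implemented=IMPLEMENTED_CONTROLS, limit=3):
    """The highest-risk pairs that still have missing controls, as (threat, missing)."""
    ranked = rank_pairs(pairs, implemented)
    return [(p.threat, missing) for p, missing in ranked if missing][:limit]


if __name__ == "__main__":
    for p, missing in rank_pairs(SAMPLE_PAIRS, IMPLEMENTED_CONTROLS):
        gap = ", ".join(missing) if missing else "none"
        print(f"{p.risk_score:>2}  {p.asset:<24} {p.threat:<20} missing: {gap}")
```

Run as a script, the register prints the four pairs in descending risk order with the controls each still lacks; `top_gaps()` returns the three items a budget discussion would start with. The scoring itself is deliberately simple; what matters for the article's argument is that the ranking is driven by the firm's own assets and gaps rather than by whatever its peers happen to be buying.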
The recent SEC alerts as well as the circular that the SFC published on cyber security recommend that registered entities need to do more, and regulators have already flagged an extensive number of items for priority review. As a result, simply ‘doing nothing’ in response to the growing number of cyber threats is clearly a dangerous strategy.
Cyberspace has moved beyond a supporting infrastructure and has become a battleground instead. Crucially, defending against yesterday’s attacks is not enough; firms need to shift their focus to the proactive management of security threats and vulnerabilities that matter to their particular business, rather than simply mirror what others are doing.
Firms need to stay ahead of the curve by identifying and addressing any threats to their most important information assets. In addition, they must implement and enforce appropriate security procedures and policies, as well as the right security technology, to mitigate whatever threats have been identified. Ranking the top cyber threats to the business will also ensure the level of technology spending is controlled.
A risk-based security strategy, underpinned by international standards, and which includes a comprehensive security gap analysis, remains the best way for firms to shape their cyber security solution. With this approach, firms will be in a much stronger position to protect their clients, their trading data and their portfolio information assets.